CARP virtual address/interface assignment
I have a question regarding CARP on OpenBSD.
I have a public address, let's say 220.127.116.11/24 (a real IP address), and I would like to build a redundant pair of firewalls.
I am just wondering: if I assign ext_if=18.104.22.168 (on both FWs), what has to be the IP address of carp1 on both firewalls (could it be 22.214.171.124, as it is virtual)?
The part related to virtual addresses/interfaces is confusing to me. If there is someone who understands this, could you please write what the IP assignment could be for the above case, where I have the public IP address 126.96.36.199?
Thank you in advance
Serendipitously, I ran into the following, which may be of some help in explaining:
Note that this source states that each CARP member will have a unique address. Which is correct? Re-read the manpage & experiment...
fxp0 (real interface), its config: cat hostname.fxp0 == up
so I just bring up the real interface without assigning any IP address to it.
For the carp interface I made
inet real_ip mask broadcast vhid 1 pass PASSWORD carpdev fxp0 advbase 1 advskew 0 state master description "CARP interface on fxp0 to outside network"
the same on both firewalls, FW1 and FW2.
This enables the carp interface to have the real IP address, which is shared with the second firewall.
The rule in pf.conf which enables nat-in to the internal network is
nat on $ext_if from !($ext_if) to any -> ($carp_ext)
carp_ext=carp1 (macro used in pf.conf)
and it works perfectly, firewall failover works super, and I want to say a big thank you to OpenBSD and the CARP/PF team, and invite all of you out there to support these fantastic projects.
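The setup described in the answer above, worked through as an added example (this is not code from the thread or from OpenBSD; it is a helper script written here). It assumes the shared address 220.127.116.11/24 with broadcast 220.127.116.255, vhid 1, the password PASSWORD and carpdev fxp0, all of which are placeholders. It generates the hostname.carp1 line for each node of the pair, checks that the two lines agree on vhid, pass and carpdev while differing in advskew, and reads the elected state back out of a constructed sample of ifconfig carp1 output. The one difference from the thread's config is that the backup node gets a higher advskew: the node with the lower advskew wins the election, so this makes the preferred master deterministic instead of copying advskew 0 to both firewalls.

```shell
#!/bin/sh
# Added example, not from the thread: build /etc/hostname.carp1 for a CARP
# pair and sanity-check the result. All addresses and the password are
# illustrative assumptions.

# carp_conf ROLE ADDR NETMASK BROADCAST VHID PASS CARPDEV
# Prints the single hostname.carp1 line for ROLE (master|backup).
# Both nodes share ADDR, VHID, PASS and CARPDEV; only advskew differs,
# because the node with the lower advskew wins the election.
carp_conf() {
    role=$1; addr=$2; mask=$3; bcast=$4; vhid=$5; pass=$6; dev=$7
    case $role in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "carp_conf: role must be master or backup" >&2; return 1 ;;
    esac
    printf 'inet %s %s %s vhid %s pass %s carpdev %s advbase 1 advskew %s\n' \
        "$addr" "$mask" "$bcast" "$vhid" "$pass" "$dev" "$skew"
}

# carp_field KEY LINE -> value following KEY in a hostname.carp1 line
carp_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1 \([^ ]*\).*/\1/p"
}

# carp_pair_ok LINE1 LINE2 -> 0 when the two nodes form a sane pair:
# same vhid, pass and carpdev (otherwise they are not the same virtual
# host), but different advskew (otherwise there is no preferred master).
carp_pair_ok() {
    for key in vhid pass carpdev; do
        [ "$(carp_field "$key" "$1")" = "$(carp_field "$key" "$2")" ] || {
            echo "carp_pair_ok: $key differs between nodes" >&2; return 1; }
    done
    [ "$(carp_field advskew "$1")" != "$(carp_field advskew "$2")" ] || {
        echo "carp_pair_ok: both nodes use the same advskew" >&2; return 1; }
    return 0
}

# carp_state IFCONFIG_OUTPUT -> MASTER, BACKUP or INIT as reported on the
# "carp:" line of `ifconfig carp1`.
carp_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*carp: \([A-Z]*\) .*/\1/p'
}

# Constructed sample of `ifconfig carp1` output on the master (not captured
# from a real system; the lladdr is the standard CARP MAC for vhid 1).
SAMPLE_IFCONFIG='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 220.127.116.11 netmask 0xffffff00 broadcast 220.127.116.255'

# Usage: generate both files and verify they form a valid pair.
FW1=$(carp_conf master 220.127.116.11 255.255.255.0 220.127.116.255 1 PASSWORD fxp0)
FW2=$(carp_conf backup 220.127.116.11 255.255.255.0 220.127.116.255 1 PASSWORD fxp0)
carp_pair_ok "$FW1" "$FW2" && printf 'FW1 hostname.carp1: %s\nFW2 hostname.carp1: %s\n' "$FW1" "$FW2"
printf 'sample carp1 state: %s\n' "$(carp_state "$SAMPLE_IFCONFIG")"
```

Two practitioner checks that go with this: pf on fxp0 must let the advertisements through (a rule such as `pass on fxp0 proto carp` on both nodes), and after `sh /etc/netstart carp1` the `carp:` line of `ifconfig carp1` should read MASTER on exactly one node and BACKUP on the other; if both show MASTER, the advertisements are being filtered or the pass/vhid values do not match.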